Abstract. In this paper we study a class of dynamical systems generated by iterations of multivariate permutation polynomial systems which lead to polynomial growth of the degrees of these iterations. Using these estimates and the same techniques studied previously for inversive generators, we bound exponential sums along the orbits of these dynamical systems and show that they admit much stronger estimates "on average" over all initial values $\mathbf v \in \mathbb{F}_p^{m+1}$ than in the general case and thus can be of use for pseudorandom number generation.



1. Introduction 

Let $\mathcal F = \{f_0, \dots, f_m\}$ be a system of $m+1$ polynomials in $m+1$ variables over an arbitrary field. One can naturally define a dynamical system generated by its iterations, see [3J [3T] and references therein for various aspects of such dynamical systems, and consider the orbits obtained by such iterations evaluated at a certain initial value $(v_0, \dots, v_m)$. The statistical uniformity of the distribution (measured by the discrepancy) of one- and multidimensional nonlinear polynomial generators over a finite field has been studied in [6], [7], [17], [HI E2]. However, almost all previously known results are nontrivial only for those polynomial generators that produce sequences of extremely large period, which could be hard to achieve in practice (the only known exceptions are generators from inversions [16], power functions [4], Dickson polynomials [5] and Redei functions [8]). The reason behind this is that typically the degree of iterated polynomial systems grows exponentially, and that in all previous results the saving over the trivial bound has been logarithmic. Furthermore, it is easy to see that in the one-dimensional case (that is, for $m = 0$) the exponential growth of the degree of iterations of a nonlinear polynomial is unavoidable. One also expects the same behaviour in the multidimensional case for "random" polynomials $f_0, \dots, f_m$. However, as we saw in [19], for some specially selected polynomials $f_0, \dots, f_m$ the degree may grow significantly slower.

In [19] we describe a rather wide class of polynomial systems with polynomial growth of the degree of their iterations. As a result we obtain much better estimates of exponential sums, and thus of the discrepancy, for vectors generated by these iterations (after scaling them to the unit cube), with a saving over the trivial bound being a power of $p$.

Obtaining stronger results "on average" over all initial values $\mathbf v \in \mathbb{F}_p^{m+1}$ is an interesting and challenging question. We remark that in the case of the so-called inversive generator rather stronger estimates "on average" are available (see [16]) and also estimates for the average distribution of powers and primitive elements of the inversive generators are considered in [1]. In this paper we study this problem by following the same arguments introduced for the inversive generator in [16]. For this we define a special family of multivariate polynomial systems of [19] which beside the polynomial degree growth also leads to permutation polynomial systems. In turn this allows us to use the approach of [16] to obtain a stronger bound on the discrepancy "on average" over initial values.

Furthermore, here we exploit the special structure of iterations of the polynomial systems of [19] that allows us to replace the use of the Weil bound (see [12, Chapter 5]) by a more elementary and stronger estimate on the corresponding exponential sums, which in turn leads to a better final result and to more general systems of congruences. In fact, since our construction can easily be extended to polynomials over commutative rings, the new estimate can also be used to study polynomial maps over residue rings (while the Weil bound does not apply there). This estimate can also be used to improve and generalise the main result of [19].

Finally, we note that we also hope that our results may be of use for some 
applications in polynomial dynamical systems. 

Throughout the paper, the implied constants in the symbols '$O$' and '$\ll$' may occasionally, where obvious, depend on some integer parameter $s \ge 1$ and are absolute otherwise. We recall that the notations $A = O(B)$ and $A \ll B$ are both equivalent to the assertion that the inequality $|A| \le c|B|$ holds for some constant $c > 0$.



2. Permutation Polynomial Dynamical System with Slow Degree Growth

2.1. General construction. We recall and modify the construction of [19] of multivariate polynomial systems with slow degree growth. Let $\mathbb F$ be an arbitrary field and let the polynomials $g_i, h_i \in \mathbb F[X_{i+1}, \dots, X_m]$, $i = 0, \dots, m-1$, satisfy the following conditions: each polynomial $g_i$ has a unique leading monomial $X_{i+1}^{s_{i,i+1}} \cdots X_m^{s_{i,m}}$, that is,

(1) $g_i(X_{i+1}, \dots, X_m) = X_{i+1}^{s_{i,i+1}} \cdots X_m^{s_{i,m}} + \tilde g_i(X_{i+1}, \dots, X_m),$

where

(2) $\deg_{X_j} \tilde g_i < s_{i,j}, \qquad \deg_{X_j} h_i < s_{i,j},$

for $i = 0, \dots, m-1$, $j = i+1, \dots, m$.

Throughout, we use deg to denote the total degree of a multivariate polynomial. 
We construct now a system $\mathcal F = \{f_0, \dots, f_m\}$ of $m+1$ polynomials in the ring $\mathbb F[X_0, \dots, X_m]$ defined in the following way:

(3)
$f_0(X_0, \dots, X_m) = X_0 g_0(X_1, \dots, X_m) + h_0(X_1, \dots, X_m),$
$f_1(X_0, \dots, X_m) = X_1 g_1(X_2, \dots, X_m) + h_1(X_2, \dots, X_m),$
$\dots$
$f_{m-1}(X_0, \dots, X_m) = X_{m-1} g_{m-1}(X_m) + h_{m-1}(X_m),$
$f_m(X_0, \dots, X_m) = aX_m + b,$

where $a, b \in \mathbb F$, $a \ne 0$, and $g_i, h_i \in \mathbb F[X_{i+1}, \dots, X_m]$, $i = 0, \dots, m-1$, are defined as above.

For each $i = 0, \dots, m$ we define the $k$-th iteration of the polynomials $f_i$ by the recurrence relation

(4) $f_i^{(0)} = X_i, \qquad f_i^{(k)} = f_i\left(f_0^{(k-1)}, \dots, f_m^{(k-1)}\right), \quad k = 1, 2, \dots.$

The following result shows the exact form of the polynomials $f_i^{(k)}$ and also the polynomial growth of the degrees of the polynomials $f_i^{(k)}$, $i = 0, \dots, m$, under iterations.

Lemma 1. Let $f_0, \dots, f_m \in \mathbb F[X_0, \dots, X_m]$ be as in (3), satisfying the conditions (1) and (2). Then for the polynomials $f_i^{(k)}$, $k = 1, 2, \dots$, given by (4) we have

$f_i^{(k)} = X_i g_{i,k}(X_{i+1}, \dots, X_m) + h_{i,k}(X_{i+1}, \dots, X_m),$

where $g_{i,k}, h_{i,k} \in \mathbb F[X_{i+1}, \dots, X_m]$ and

$\deg g_{i,k} = \frac{k^{m-i}}{(m-i)!}\, s_{i,i+1} \cdots s_{m-1,m} + \psi_i(k), \quad i = 0, \dots, m-1,$

$\deg g_{m,k} = 0,$

where $\psi_i(T) \in \mathbb Q[T]$ is a polynomial of degree $\deg \psi_i < m - i$.

Proof. We have

$f_i^{(k)} = f_i^{(k-1)}\, g_i\left(f_{i+1}^{(k-1)}, \dots, f_m^{(k-1)}\right) + h_i\left(f_{i+1}^{(k-1)}, \dots, f_m^{(k-1)}\right).$

Thus an easy inductive argument implies that

$f_i^{(k)} = X_i g_{i,k}(X_{i+1}, \dots, X_m) + h_{i,k}(X_{i+1}, \dots, X_m)$

for some polynomials $g_{i,k}, h_{i,k} \in \mathbb F[X_{i+1}, \dots, X_m]$, with $\deg g_{i,k} \ge \deg h_{i,k}$, where $i = 0, \dots, m$, $k = 1, 2, \dots$.

For the asymptotic formulas for the degrees of the polynomials $g_{i,k}$ see [19, Lemma 1], where it is given in the equivalent form for $\deg f_i^{(k)} = \deg g_{i,k} + 1$. □
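The degree recurrence behind Lemma 1, as an added example (not code from the paper): under (1) and (2) the leading monomial of $g_i$ determines the degree of the composition, so $\deg f_i^{(k)} = \deg f_i^{(k-1)} + \sum_{j>i} s_{i,j} \deg f_j^{(k-1)}$ with $\deg f_m^{(k)} = 1$; the code runs this recurrence for the quadratic choice of Section 2.2 and compares $\deg g_{i,k} = \deg f_i^{(k)} - 1$ with the leading term of Lemma 1. The function names and the table of exponents $s_{i,j}$ are my own constructions.

```python
# Added example (not from the paper): the degree recurrence behind Lemma 1.
# With f_i = X_i g_i + h_i as in (3) and g_i having the unique leading monomial
# X_{i+1}^{s_{i,i+1}} ... X_m^{s_{i,m}} of (1)-(2), that monomial dominates the
# composition, so  deg f_i^{(k)} = deg f_i^{(k-1)} + sum_{j>i} s_{i,j} deg f_j^{(k-1)},
# while f_m^{(k)} = a^k X_m + ... stays linear.
from math import factorial


def iteration_degrees(s, k):
    """deg f_i^{(k)} for i = 0..m, where s[i][j] = s_{i,j} for 0 <= i < j <= m."""
    m = len(s) - 1
    deg = [1] * (m + 1)                                   # f_i^{(0)} = X_i
    for _ in range(k):
        deg = [deg[i] + sum(s[i][j] * deg[j] for j in range(i + 1, m + 1))
               for i in range(m)] + [1]                   # last entry: deg f_m^{(k)} = 1
    return deg


def lemma1_leading_term(s, i, k):
    """k^{m-i}/(m-i)! * s_{i,i+1} * s_{i+1,i+2} * ... * s_{m-1,m}, the main term of Lemma 1."""
    m = len(s) - 1
    prod = 1
    for j in range(i, m):
        prod *= s[j][j + 1]
    return k ** (m - i) * prod / factorial(m - i)


def generic_degree(d, k):
    """For contrast: a generic system of total degree d reaches degree d^k after k steps."""
    return d ** k


if __name__ == "__main__":
    # Constructed instance: m = 2, g_0 = X_1^2 - a_0, g_1 = X_2^2 - a_1 (Section 2.2),
    # i.e. s_{0,1} = s_{1,2} = 2 and s_{0,2} = 0.
    s = [[0, 2, 0], [0, 0, 2], [0, 0, 0]]
    k = 5
    degs = iteration_degrees(s, k)                        # [51, 11, 1]
    for i in range(2):
        print(i, degs[i] - 1, lemma1_leading_term(s, i, k))   # deg g_{i,k} vs. k^{m-i}/(m-i)! * prod s
    print(generic_degree(3, k))                           # 243: exponential growth for comparison
```

For this instance $\deg g_{0,k} = 2k^2$ and $\deg g_{1,k} = 2k$ exactly, so $\psi_0 = \psi_1 = 0$, while a generic system of total degree 3 would already have degree $3^k$.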
2.2. Permutation polynomial systems. In order to be able to apply the technique introduced in [16] for inversive pseudorandom number generators, we need to work with systems of multivariate polynomials in $\mathbb F_p[X_0, \dots, X_m]$ which induce maps that permute the elements of $\mathbb F_p^{m+1}$. Lidl and Niederreiter [12, 13] call such systems orthogonal polynomial systems, but we here refer to them as permutation polynomial systems.

Let the polynomial system $\mathcal F = \{f_0, \dots, f_m\}$, $m \ge 1$, be defined by (3) and satisfy the conditions (1) and (2). It is obvious that this system is a permutation system if and only if the polynomials $g_i$, $i = 0, \dots, m$, do not have zeros over $\mathbb F_p$.

We note that a "typical" absolutely irreducible polynomial in $m \ge 2$ variables over $\mathbb F_p$ always has lots of zeros. By a special case of the Lang–Weil theorem [11] a polynomial $F$ in $m \ge 2$ variables over $\mathbb F_p$ always has $rp^{m-1} + O(p^{m-3/2})$ zeros where $r$ is the number of absolutely irreducible factors of $F$ (with the implied constant depending only on $\deg F$), see also [3D]. That is why we seek "atypical" polynomials, as the example below shows.

One of the attractive choices of polynomials which would lead to a fast PRNG is

$g_i(X_{i+1}, \dots, X_m) = \prod_{j=1}^{m-i} \left( X_{i+j}^2 - a_{i,j} \right)$

and

$h_i(X_{i+1}, \dots, X_m) = b_i,$

where $a_{i,j}$ are quadratic nonresidues and $b_i$ are any constants in $\mathbb F_p$. Even simpler, one can take

$g_i(X_{i+1}, \dots, X_m) = X_{i+1}^2 - a_i,$

where $a_i$ are quadratic nonresidues.

3. Polynomial Pseudorandom Number Generators 

3.1. Construction. Let $\mathcal F = \{f_0, \dots, f_m\}$ be a permutation polynomial system in $\mathbb F_p[X_0, \dots, X_m]$ defined as in Section 2. We fix a vector $\mathbf v \in \mathbb F_p^{m+1}$ and consider the sequence defined by a recurrence congruence modulo a prime $p$ of the form

(5) $u_{n+1,i} \equiv f_i(u_{n,0}, \dots, u_{n,m}) \pmod p, \quad n = 0, 1, \dots,$

with the initial values $(u_{0,0}, \dots, u_{0,m}) = \mathbf v$. We also assume that $0 \le u_{n,i} < p$, $i = 0, \dots, m$, $n = 0, 1, \dots$.

In particular, for any $n, k \ge 0$ and $i = 0, \dots, m$ we have

(6) $u_{n+k,i}(\mathbf v) = f_i^{(k)}\left(u_{n,0}(\mathbf v), \dots, u_{n,m}(\mathbf v)\right).$

Using the following vector notation

$\mathbf u_n(\mathbf v) = \left(u_{n,0}(\mathbf v), \dots, u_{n,m-1}(\mathbf v)\right)$

we have the recurrence relation

$\mathbf u_{n+k}(\mathbf v) = \left( f_0^{(k)}\left(u_{n,0}(\mathbf v), \dots, u_{n,m}(\mathbf v)\right), \dots, f_{m-1}^{(k)}\left(u_{n,0}(\mathbf v), \dots, u_{n,m}(\mathbf v)\right) \right).$

We show that for almost all initial values $\mathbf v \in \mathbb F_p^{m+1}$, the sequence

(7) $\left( \frac{u_{n,0}(\mathbf v)}{p}, \dots, \frac{u_{n,m-1}(\mathbf v)}{p} \right), \quad n = 0, \dots, N-1,$

is uniformly distributed for all $N \ge (\log p)^{2+\varepsilon}$, any fixed $\varepsilon > 0$ and sufficiently large $p$.
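An added example, not code from the paper: the generator (5) built from the system (3) with the choice $g_i = X_{i+1}^2 - a_i$, $h_i = b_i$ of Section 2.2 over a small prime field, a brute-force check of the permutation property of Section 2.2 (and of how it fails when some $a_i$ is a quadratic residue, so that $g_i$ has a zero and states collide), and the period of one orbit. The prime, the constants and the function names are constructed for the demonstration.

```python
# Added example (not from the paper): the generator (5) for the system (3)
# with g_i = X_{i+1}^2 - a_i, h_i = b_i (a_i quadratic nonresidues mod p) and
# f_m = a X_m + b, over a small prime field.  All parameters are constructed.
from itertools import product


def is_quadratic_nonresidue(x, p):
    """Euler's criterion for an odd prime p: x is a nonresidue iff x^((p-1)/2) = -1."""
    return x % p != 0 and pow(x, (p - 1) // 2, p) == p - 1


def make_system(p, nonres, consts, a, b):
    """Return the map x -> (f_0(x), ..., f_m(x)) of (3) with m = len(nonres)."""
    m = len(nonres)
    assert a % p != 0 and len(consts) == m

    def step(x):
        y = []
        for i in range(m):
            g = (x[i + 1] * x[i + 1] - nonres[i]) % p  # g_i(x_{i+1}); nonzero for all x_{i+1} iff a_i is a nonresidue
            y.append((x[i] * g + consts[i]) % p)       # f_i = X_i g_i + h_i
        y.append((a * x[m] + b) % p)                   # f_m = a X_m + b
        return tuple(y)

    return step


def is_permutation(step, p, m):
    """Brute force: the system permutes F_p^{m+1} iff its image has p^{m+1} points."""
    return len({step(x) for x in product(range(p), repeat=m + 1)}) == p ** (m + 1)


def orbit_period(step, v):
    """Cycle length through v (step is a bijection, so v recurs); cf. Section 4."""
    n, x = 1, step(v)
    while x != v:
        x, n = step(x), n + 1
    return n


def scaled_points(step, v, N, p):
    """First N points (u_{n,0}/p, ..., u_{n,m-1}/p) of (7); the last coordinate is dropped."""
    pts, x = [], tuple(v)
    for _ in range(N):
        pts.append(tuple(c / p for c in x[:-1]))
        x = step(x)
    return pts


if __name__ == "__main__":
    p = 7                                                     # nonresidues mod 7: 3, 5, 6
    good = make_system(p, nonres=[3], consts=[0], a=1, b=1)   # m = 1
    print(is_permutation(good, p, 1), orbit_period(good, (1, 0)))   # True 21
    bad = make_system(p, nonres=[2], consts=[0], a=1, b=1)    # 2 = 3^2 is a residue: g_0(3) = 0
    print(is_permutation(bad, p, 1))                          # False
```

In the `good` instance the $x_1$ coordinate cycles with period $p = 7$ and $x_0$ is multiplied by $\prod_{x}(x^2 - 3) \equiv 2 \pmod 7$ per cycle, an element of order 3, which gives the orbit length 21.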

3.2. Exponential Sums. We put

$\mathbf e_m(z) = \exp(2\pi i z/m).$

Our second main tool is the following bound on exponential sums which is stronger than the one immediately implied by the Weil bound (see [13, Chapter 5]).

Lemma 2. Let $f_0, \dots, f_m \in \mathbb F_p[X_0, \dots, X_m]$ be as in (3), satisfying the conditions (1) and (2). If $s_{0,1} \cdots s_{m-1,m} \ne 0$, then there is a positive integer $k_0$ depending only on the degrees of the polynomials in $\mathcal F$ such that for any integers $k > l \ge k_0$ and any nonzero $\mathbf a = (a_0, \dots, a_{m-1}) \in \mathbb F_p^m$, for the polynomial

$F_{\mathbf a,k,l} = \sum_{i=0}^{m-1} a_i \left( f_i^{(k)} - f_i^{(l)} \right)$

we have

$\left| \sum_{x_0, \dots, x_m \in \mathbb F_p} \mathbf e_p\left( F_{\mathbf a,k,l}(x_0, \dots, x_m) \right) \right| \ll k^m p^m.$

Proof. Let $s \le m-1$ be the smallest integer such that $a_s \ne 0$. By Lemma 1 we have

$\sum_{x_0, \dots, x_m = 1}^{p} \mathbf e_p\left( F_{\mathbf a,k,l}(x_0, \dots, x_m) \right) = \sum_{x_0, \dots, x_m = 1}^{p} \mathbf e_p\left( \sum_{i=s}^{m-1} a_i \left( x_i (g_{i,k} - g_{i,l}) + (h_{i,k} - h_{i,l}) \right) \right)$

$= p^s \sum_{x_s, \dots, x_m = 1}^{p} \mathbf e_p\left( \sum_{i=s}^{m-1} a_i \left( x_i (g_{i,k} - g_{i,l}) + (h_{i,k} - h_{i,l}) \right) \right)$

$= p^s \sum_{x_{s+1}, \dots, x_m = 1}^{p} \mathbf e_p\left( a_s (h_{s,k} - h_{s,l}) + \sum_{i=s+1}^{m-1} a_i \left( x_i (g_{i,k} - g_{i,l}) + (h_{i,k} - h_{i,l}) \right) \right) \sum_{x_s = 1}^{p} \mathbf e_p\left( a_s x_s (g_{s,k} - g_{s,l}) \right),$

where $g_{i,k}, h_{i,k}$ are evaluated at $(x_{i+1}, \dots, x_m)$. Then the sum over the variable $x_s$ is nonzero only if its coefficient

$g_{s,k}(x_{s+1}, \dots, x_m) - g_{s,l}(x_{s+1}, \dots, x_m) \equiv 0 \pmod p,$

see [13, Equation (5.9)].

We see from Lemma 1 that if $k > l \ge k_0$ for a sufficiently large $k_0$ then $g_{s,k} - g_{s,l}$ is a nontrivial polynomial modulo $p$ of degree $O(k^{m-s}) = O(k^m)$. A simple inductive argument shows that a polynomial in $r$ variables which is nontrivial modulo $p$ and of degree $D$ may have only $O(Dp^{r-1})$ zeros modulo $p$, which concludes the proof. □

We note that we do not include the linear polynomials $f_m^{(k)}$ and $f_m^{(l)}$ in $F_{\mathbf a,k,l}$ as generally speaking in this case such a linear combination may vanish even for nontrivial coefficients (note that it is possible that $f_m^{(k)} = f_m^{(l)}$ for $k \ne l$).

We follow the scheme previously introduced in [16] for estimating the exponential sum introduced below, and thus the discrepancy of a sequence of points.

For a vector $\mathbf a = (a_0, \dots, a_{m-1}) \in \mathbb F_p^m$ and integers $c, M, N$ with $M \ge 1$ and $N \ge 1$, we introduce

$V_{\mathbf a,c}(M,N) = \sum_{v_0, \dots, v_m \in \mathbb F_p} \left| \sum_{n=0}^{N-1} \mathbf e_p\left( \sum_{j=0}^{m-1} a_j f_j^{(n)}(v_0, \dots, v_m) \right) \mathbf e_M(cn) \right|^2.$

Note that as in Lemma 2 we do not include the polynomials $f_m^{(n)}$ in the above exponential sum.

Lemma 3. Let the permutation polynomial system of $m+1$ polynomials $\mathcal F = \{f_0, \dots, f_m\} \subseteq \mathbb F_p[X_0, \dots, X_m]$ of total degree $d \ge 2$ be of the form (3), satisfying the conditions (1) and (2). Then for any positive integers $c, M, N$ and any nonzero vector $\mathbf a = (a_0, \dots, a_{m-1}) \in \mathbb F_p^m$ we have

$V_{\mathbf a,c}(M,N) \ll \Delta(N,p),$

where

$\Delta(N,p) = \begin{cases} Np^{m+1} & \text{if } N \le p^{1/(m+1)}, \\ N^2 p^{m(m+2)/(m+1)} & \text{if } N > p^{1/(m+1)}. \end{cases}$



Proof. We have

$V_{\mathbf a,c}(M,N) = \sum_{k,l=0}^{N-1} \mathbf e_M(c(k-l)) \sum_{v_0, \dots, v_m \in \mathbb F_p} \mathbf e_p\left( \sum_{j=0}^{m-1} a_j \left( f_j^{(k)}(v_0, \dots, v_m) - f_j^{(l)}(v_0, \dots, v_m) \right) \right)$

$\le \sum_{k,l=0}^{N-1} \left| \sum_{v_0, \dots, v_m \in \mathbb F_p} \mathbf e_p\left( \sum_{j=0}^{m-1} a_j \left( f_j^{(k)}(v_0, \dots, v_m) - f_j^{(l)}(v_0, \dots, v_m) \right) \right) \right|.$

For the $O(N)$ values of $k$ and $l$ which are equal, we estimate the inner sum trivially by $p^{m+1}$. For the other values, by Lemma 2 we get the upper bound $O(N^m p^m)$ for the inner sum, for at most $N^2$ sums. Hence,

(8) $V_{\mathbf a,c}(M,N) \ll Np^{m+1} + N^{m+2} p^m.$



Because $\mathcal F$ is a permutation polynomial system and using (6), for any integer $L$ we obtain

$\sum_{v_0, \dots, v_m \in \mathbb F_p} \left| \sum_{n=L}^{L+N-1} \mathbf e_p\left( \sum_{j=0}^{m-1} a_j f_j^{(n)}(v_0, \dots, v_m) \right) \mathbf e_M(cn) \right|^2$

$= \sum_{v_0, \dots, v_m \in \mathbb F_p} \left| \sum_{n=0}^{N-1} \mathbf e_p\left( \sum_{j=0}^{m-1} a_j f_j^{(n)}\left( f_0^{(L)}(v_0, \dots, v_m), \dots, f_m^{(L)}(v_0, \dots, v_m) \right) \right) \mathbf e_M(cn) \right|^2$

$= \sum_{v_0, \dots, v_m \in \mathbb F_p} \left| \sum_{n=0}^{N-1} \mathbf e_p\left( \sum_{j=0}^{m-1} a_j f_j^{(n)}(v_0, \dots, v_m) \right) \mathbf e_M(cn) \right|^2 = V_{\mathbf a,c}(M,N).$

Therefore, for any positive integer $K \le N$, separating the inner sum into at most $N/K + 1$ subsums of length at most $K$, and using (8), we derive

$V_{\mathbf a,c}(M,N) \ll \left( Kp^{m+1} + K^{m+2} p^m \right) N^2 K^{-2} = N^2 \left( K^{-1} p^{m+1} + K^m p^m \right).$

Thus, selecting $K = \min\{N, \lfloor p^{1/(m+1)} \rfloor\}$ and taking into account that $N^{-1} p^{m+1} \ge N^m p^m$ for $N \le p^{1/(m+1)}$ we obtain the desired result. □

Note that the estimates for $V_{\mathbf a,c}(M,N)$ work not only over prime fields, but also over any finite field.

We also need the identity (see [5])

(9) $\sum_{-(m-1)/2 \le a \le m/2} \mathbf e_m(ab) = \begin{cases} 0 & \text{if } b \not\equiv 0 \pmod m, \\ m & \text{if } b \equiv 0 \pmod m. \end{cases}$

Then we have the following inequality

(10) $\left| \sum_{r=L+1}^{L+Q} \mathbf e_m(cr) \right| \le \min\left\{ Q, \frac{m}{|c|+1} \right\} \ll \min\left\{ m, \frac{m}{|c|+1} \right\},$

which holds for any integers $c$, $Q$ and $L$ with $|c| \le m/2$ and $m \ge Q \ge 1$, see [HI Bound (8.6)].
3.3. Discrepancy. Given a sequence $\Gamma$ of $N$ points

(11) $\Gamma = \left\{ (\gamma_{n,0}, \dots, \gamma_{n,s-1}) \right\}_{n=0}^{N-1}$

in the $s$-dimensional unit cube $[0,1)^s$ it is natural to measure the level of its statistical uniformity in terms of the discrepancy $\Delta(\Gamma)$. More precisely,

$\Delta(\Gamma) = \sup_{B \subseteq [0,1)^s} \left| \frac{T_\Gamma(B)}{N} - |B| \right|,$

where $T_\Gamma(B)$ is the number of points of $\Gamma$ inside the box

$B = [\alpha_1, \beta_1) \times \dots \times [\alpha_s, \beta_s) \subseteq [0,1)^s$

and the supremum is taken over all such boxes, see [2, 10].



We recall that the discrepancy is a widely accepted quantitative measure of uniformity of distribution of sequences, and thus good pseudorandom sequences should (after an appropriate scaling) have a small discrepancy, see [2, 13].

For an integer vector $\mathbf a = (a_0, \dots, a_{s-1}) \in \mathbb Z^s$ we put

$\|\mathbf a\| = \max_{j} |a_j|, \qquad r(\mathbf a) = \prod_{j=0}^{s-1} \max\{|a_j|, 1\}.$



Typically the bounds on the discrepancy of a sequence are derived from bounds of exponential sums with elements of this sequence. The relation is made explicit in the celebrated Erdős–Turán–Koksma inequality, see [2, Theorem 1.21], which we present in the following form.

Lemma 4. For any integer $L \ge 1$ and any sequence $\Gamma$ of $N$ points (11) the discrepancy $\Delta(\Gamma)$ satisfies the following bound:

$\Delta(\Gamma) \ll \frac{1}{L} + \frac{1}{N} \sum_{0 < \|\mathbf a\| \le L} \frac{1}{r(\mathbf a)} \left| \sum_{n=0}^{N-1} \exp\left( 2\pi i \sum_{j=0}^{s-1} a_j \gamma_{n,j} \right) \right|.$



Now, as in [16], combining Lemma 4 with the bound obtained in Lemma 3 we obtain stronger estimates for the discrepancy "on average" over all initial values.

Theorem 5. Let $0 < \varepsilon < 1$ and let the sequence $\{\mathbf u_n\}$ be given by (5), where the permutation system of $m+1$ polynomials $\mathcal F = \{f_0, \dots, f_m\} \subseteq \mathbb F_p[X_0, \dots, X_m]$ of total degree $d \ge 2$ is of the form (3), satisfying the conditions (1) and (2) and such that $s_{0,1} \cdots s_{m-1,m} \ne 0$. Then for all initial values $\mathbf v \in \mathbb F_p^{m+1}$ except at most $O(\varepsilon p^{m+1})$ of them, and any positive integer $N \le p^{m+1}$, the discrepancy $D_N(\mathbf v)$ of the sequence (7) satisfies the bound

$D_N(\mathbf v) \ll \varepsilon^{-1} B(N,p),$

where

$B(N,p) = \frac{\Delta(N,p)^{1/2} (\log N)^{m+1} \log p}{N p^{(m+1)/2}} = \begin{cases} N^{-1/2} (\log N)^{m+1} \log p & \text{if } N \le p^{1/(m+1)}, \\ p^{-1/(2(m+1))} (\log N)^{m+1} \log p & \text{if } N > p^{1/(m+1)}, \end{cases}$

with $\Delta(N,p)$ as in Lemma 3.
Proof. Without loss of generality we can assume that $N \ge 2$. From Lemma 4 with $L = \lfloor N/2 \rfloor$ we derive

$D_N(\mathbf v) \ll \frac{1}{N} + \frac{1}{N} \sum_{0 < \|\mathbf a\| \le N/2} \frac{1}{r(\mathbf a)} \left| \sum_{n=0}^{N-1} \mathbf e_p\left( \sum_{j=0}^{m-1} a_j u_{n,j}(\mathbf v) \right) \right|,$

where $\mathbf a = (a_0, \dots, a_{m-1}) \in \mathbb Z^m$.

Let $m_\nu = 2^\nu$, $\nu = 0, 1, \dots$, and define $k \ge 1$ by the condition $m_{k-1} < N \le m_k$. From (9) we derive

$\sum_{n=0}^{N-1} \mathbf e_p\left( \sum_{j=0}^{m-1} a_j u_{n,j}(\mathbf v) \right) = \frac{1}{m_k} \sum_{n=0}^{m_k-1} \mathbf e_p\left( \sum_{j=0}^{m-1} a_j u_{n,j}(\mathbf v) \right) \sum_{-(m_k-1)/2 \le c \le m_k/2} \sum_{r=0}^{N-1} \mathbf e_{m_k}(c(n-r)).$

Since $m_k/2 = m_{k-1}$, from (10) we obtain

$\left| \sum_{n=0}^{N-1} \mathbf e_p\left( \sum_{j=0}^{m-1} a_j u_{n,j}(\mathbf v) \right) \right| \ll \sum_{|c| \le m_{k-1}} \frac{1}{|c|+1} \left| \sum_{n=0}^{m_k-1} \mathbf e_p\left( \sum_{j=0}^{m-1} a_j u_{n,j}(\mathbf v) \right) \mathbf e_{m_k}(cn) \right|.$

It follows that

(12) $D_N(\mathbf v) \ll A_k(\mathbf v),$

where

$A_k(\mathbf v) = \frac{1}{N} + \frac{1}{m_k} \sum_{0 < \|\mathbf a\| \le m_{k-1}} \frac{1}{r(\mathbf a)} \sum_{|c| \le m_{k-1}} \frac{1}{|c|+1} \left| \sum_{n=0}^{m_k-1} \mathbf e_p\left( \sum_{j=0}^{m-1} a_j u_{n,j}(\mathbf v) \right) \mathbf e_{m_k}(cn) \right|.$

Now

$\sum_{\mathbf v = (v_0, \dots, v_m) \in \mathbb F_p^{m+1}} A_k(\mathbf v) = \frac{p^{m+1}}{N} + \frac{1}{m_k} \sum_{0 < \|\mathbf a\| \le m_{k-1}} \frac{1}{r(\mathbf a)} \sum_{|c| \le m_{k-1}} \frac{1}{|c|+1} \sum_{v_0, \dots, v_m \in \mathbb F_p} \left| \sum_{n=0}^{m_k-1} \mathbf e_p\left( \sum_{j=0}^{m-1} a_j u_{n,j}(\mathbf v) \right) \mathbf e_{m_k}(cn) \right|.$
Applying the Cauchy inequality, from Lemma 3 we derive

$\sum_{v_0, \dots, v_m \in \mathbb F_p} \left| \sum_{n=0}^{m_k-1} \mathbf e_p\left( \sum_{j=0}^{m-1} a_j f_j^{(n)}(v_0, \dots, v_m) \right) \mathbf e_{m_k}(cn) \right| \le p^{(m+1)/2} V_{\mathbf a,c}(m_k, m_k)^{1/2} \ll p^{(m+1)/2} \Delta(m_k,p)^{1/2}.$

Therefore

$\sum_{\mathbf v \in \mathbb F_p^{m+1}} A_k(\mathbf v) \ll \frac{p^{m+1}}{N} + \frac{p^{(m+1)/2} \Delta(m_k,p)^{1/2}}{m_k} \sum_{0 < \|\mathbf a\| \le m_{k-1}} \frac{1}{r(\mathbf a)} \sum_{|c| \le m_{k-1}} \frac{1}{|c|+1} \ll \frac{p^{(m+1)/2} \Delta(m_k,p)^{1/2} (\log m_k)^{m+1}}{m_k},$

where we used the standard bound for partial sums of the harmonic series in the last step (the term $p^{m+1}/N$ is dominated by the second one since $\Delta(m_k,p) \ge m_k p^{m+1}$ and $m_k < 2N$). Thus, for each $k = 1, \dots, \lceil \log(p^{m+1}) \rceil$, the inequality

(13) $A_k(\mathbf v) \ge \frac{\Delta(m_k,p)^{1/2} (\log m_k)^{m+1} \log p}{\varepsilon m_k p^{(m+1)/2}} = \varepsilon^{-1} B(m_k,p)$

can hold for at most $O(\varepsilon p^{m+1} / \log p)$ values of $v_0, \dots, v_m \in \mathbb F_p$. Therefore the number of $v_0, \dots, v_m \in \mathbb F_p$ for which (13) holds for at least one $k = 1, \dots, \lceil \log(p^{m+1}) \rceil$ is $O(\varepsilon p^{m+1})$. For all other $v_0, \dots, v_m$, we get from (12)

$D_N(\mathbf v) \ll A_k(\mathbf v) < \varepsilon^{-1} B(m_k,p) \ll \varepsilon^{-1} B(N,p)$

for $1 \le N \le p^{m+1}$, where we used $m_k = 2m_{k-1} < 2N$ in the last step. □



4. Remarks and Open Questions 

As we have mentioned, one of the attractive choices of polynomials (3), which leads to a very fast pseudorandom number generator, is

$g_i(X_{i+1}, \dots, X_m) = X_{i+1}^2 - a_i \quad \text{and} \quad h_i(X_{i+1}, \dots, X_m) = b_i$

for some quadratic nonresidues $a_i$ and any constants $b_i$, $i = 0, \dots, m-1$. The corresponding sequence of vectors is generated at the cost of two multiplications per component. This naturally leads to the question of studying in what cases the periods of the sequences generated by such polynomial dynamical systems are maximal.

We also note that it is natural to consider the joint distribution of several consecutive vectors

$\left( \mathbf u_n(\mathbf v), \dots, \mathbf u_{n+s-1}(\mathbf v) \right), \quad n = 0, 1, \dots,$

in the $sm$-dimensional space. It seems that the scheme used in [19] can also be applied to derive such a result.